基于系统调用属性的程序行为监控

程序的行为轨迹常采用基于系统调用的程序行为自动机来表示.针对传统的程序行为自动机中控制流和数据流描述的程序行为轨迹准确性较低、获取系统调用上下文时间开销大、无法监控程序运行时相邻系统调用间的程序执行轨迹等问题,提出了基于系统调用属性的程序行为自动机.引入了多个系统调用属性,综合系统调用各属性的偏离程度,对系统调用序列描述的程序行为轨迹进行更准确地监控;提出了基于上下文的系统调用参数策略,检测针对系统调用控制流及数据流的行为轨迹偏离;提出了系统调用时间间距属性,使得通过系统调用及其参数无法监控的相邻系统调用间的程序行为轨迹在一定程度上得到了监控.实验表明基于系统调用属性的程序行为自动机能够更准确地刻画程序行为轨迹,较传统模型有更强的行为偏离检测能力.

Program Behavior Monitoring Based on System Call Attributes

The automaton of program behavior based on system call is often used to model program behavior. The automaton of program behavior based on system call attributes is proposed, which overcomes some drawbacks of traditional automaton of program behavior, such as low accuracy of program behavior trace modeled by control flow and data flow of system calls, high time overhead of capturing the system call context, and inability to monitor the program behavior between adjacent system calls. First of all, several system call attributes are introduced and the program behavior trace modeled by system call sequence can be monitored more accurately by considering the deviation degrees of system call attributes comprehensively. Secondly, system call arguments policies based on context are proposed to monitor the program behavior aiming at control flow or data flow. Thirdly, the time interval attribute of system call is presented and the program behavior trace between adjacent system calls, which cannot be monitored by system call and its arguments policies, can be monitored to some extent. The experimental results show that the automaton of program behavior based on system call attributes can model the program behavior more accurately and has better deviation detection ability of program behavior than traditional models of program behavior.